I want to add a password blacklist that would prevent the 1000 most common passwords from being used in order to mitigate shallow dictionary attacks. Is there any negative implication of storing this blacklist in the database?

I think the security implication is out of context for your question; a more relevant question would be what benefit we can get and how to maintain such a list. You can also review the previous post on the same topic: security.stackexchange.com/questions/39051/…
– Ali Ahmad, Aug 18 '13 at 14:51


I'm the author of the similar question linked to above, which was marked [duplicate] and didn't receive much attention. Then this question comes along and gets crazy upvoted. I will never understand how these SE sites work.
– brentonstrine, Aug 22 '13 at 20:40

5 Answers

In that order of magnitude (1000 passwords), I don't see any downsides from a security point of view. If anything, I'd say it's a good idea. Granted, you'll be shrinking the pool of possible passwords which, theoretically, decreases the security. In practice, however, those most commonly used passwords will be one of the first wordlists an attacker would try.

In fact, I've seen a few web services disclosing this in their registration forms. Some even block whole dictionaries in addition to common passwords.

I wouldn't be surprised if people choosing xyz for a password just change it to xyz1 after getting a message that their password is blacklisted. Now as an attacker you could try some simple variations of words in the blacklist first, before brute-forcing.
– Aerus, Aug 19 '13 at 9:53

I agree with @Aerus; you should consider making a powerful statement to users at the point of refusing their password on the grounds you detected it was too weak, to ensure they don't simply append a single character to get around the blacklist. User education is paramount. Also, consider preventing enumeration of the blacklisted passwords.
– deed02392, Aug 19 '13 at 12:50

Not only is this not a bad idea, it's actually quite advisable. In fact, there's a whole library already included on most Linux/Unix systems called cracklib which helps you prevent users from picking horrible passwords.

There are bindings for this library in most languages, which makes checking for bad passwords pretty trivial. You just say "cracklib, is this password bad" and it will say something like: "this password is based on a reversed dictionary word".
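As an added illustration of the kind of check cracklib performs (and of the trivial-variant problem Aerus raises in the comments above), here is a small blacklist checker that is not from the original post and does not use cracklib's own API. The blacklist here is a constructed six-entry sample; a real deployment would load the top-1000 list from its database, and the function reports only a reason, never the list itself.

```python
import re

# Constructed sample blacklist; a real deployment would load the top-1000 list
# from the database table the question asks about.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "guest", "iloveyou"}

# Common look-alike substitutions people use to dodge a naive blacklist.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _strip_ends(p: str) -> str:
    """Remove leading/trailing digits and symbols (catches 'password1', '!qwerty')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", p)


def _candidates(password: str):
    """Yield normalised forms of the password that should also hit the blacklist,
    each paired with the reason to report to the user."""
    p = password.lower()
    stripped = _strip_ends(p)
    steps = [
        (p, "is a common password"),
        (stripped, "is a common password with digits or symbols added"),
        (p.translate(_LEET), "is a common password with letters replaced by look-alike symbols"),
        (stripped.translate(_LEET), "is a common password with symbol substitutions and added characters"),
        (p[::-1], "is a reversed common password"),
    ]
    seen = set()
    for form, reason in steps:
        if form not in seen:        # skip forms a transformation left unchanged
            seen.add(form)
            yield form, reason


def check_password(password: str, blacklist=COMMON_PASSWORDS):
    """Return None if the password is acceptable, otherwise a human-readable reason.

    Only the reason string is exposed, so callers cannot use this function to
    enumerate the blacklist entry by entry from the response.
    """
    for form, reason in _candidates(password):
        if form in blacklist:
            return reason
    return None


if __name__ == "__main__":
    for pw in ["password1", "P@ssw0rd", "drowssap", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```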

From a security perspective, there should be no negative implications. The only thing I can think of will be the attacker knowing not to try those 1000 passwords if he manages to get hold of that list, but that really doesn't count.

I can see one problem in this situation: it will make brute force easier for the attacker. They will have fewer passwords to try in order to break into the account. I think you should not limit password choice for users at all.

Removing 1000 passwords from the potential passwords to try will have a negligible impact on the attacker's workload. The point here is to prevent people picking 123456, password, guest, etc. Think of it as those pesky password rules, but more controlled and sane.
– Thomas, Aug 18 '13 at 15:37